Skip to content

Show 404 instead of authenticating routes that don't exist

John Hope requested to merge poc_exclude_invalid_paths_from_authentication into master

What does this MR do?

See: https://gitlab.com/gitlab-org/gitlab/-/issues/258993#note_422655579

All unrecognized routes are checked for user authentication before presenting a 404, whether or not they actually exist. This produces some unusual side effects (see linked, confidential issue).

This change ensures that URLs that aren't matched by an existing route are sent to the ApplicationController#not_found method rather than ApplicationController#route_not_found, which deliberately authenticates the user.

It also excludes not_found from the authenticate_user! callback.

As of this MR it only affects routes with /-/ in the path. Routes without exhibit the existing behavior.

Changes

A lot of routes fall through the hierarchy to the wildcard

get '*unmatched_route', to: 'application#route_not_found'

when they should route to application#not_found instead. The difference is that the former tries to authenticate the user before redirecting further and the latter doesn't.

If a route would be valid if the group, project (and object, if any) is valid it should call route_not_found. All other mismatched routes should go to not_found.

For example, /gitlab-org/gitlab/-/issues/123/edit, where 123 is a confidential issue, should call route_not_found but /gitlab-org/gitlab/-/issues/123/fish should call not_found.

For that reason, this MR adds a second fallback with higher priority that catches paths with /-/ and routes them to not_found.

Screenshots

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by John Hope

Merge request reports

Loading